A moderately critical vulnerability that allows attackers to execute rogue PHP code on servers with certain configurations has been patched.
The flaw, disclosed earlier this month, allows users with “Author” permission to upload and execute PHP files carrying an extra media extension (.jpg or .gif) on web servers that are not configured to handle those extensions.
A separate PHP code execution flaw that doesn’t require any special web server configuration has also been patched, but no exploit or details have been made public.
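The double-extension case described above is the classic one for Apache's mod_mime, which evaluates every dotted segment of a name such as `shell.php.jpg` and can still route the file to the PHP handler when `.jpg` has no handler of its own. The following upload-name check is an added illustration written for this page, not WordPress code; the extension lists, the `upload_filename_problems` and `safe_upload_name` helpers and the sample names are all assumptions. It inspects every segment rather than only the last one, and rewrites inner dots so a stored name can only ever carry its final, allow-listed extension.

```python
import os

# Extensions a typical PHP web server hands to the script engine (assumed list)
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Extensions a media upload endpoint is willing to accept (assumed allow-list)
ALLOWED_MEDIA_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}


def upload_filename_problems(filename: str) -> list:
    """Return the reasons a user-supplied upload name should be rejected.

    An empty list means the name is acceptable. Every dotted segment is
    checked, not only the last one, because Apache's mod_mime evaluates all
    extensions of 'shell.php.jpg' and may hand it to the PHP handler.
    """
    problems = []
    base = os.path.basename(filename)
    if base != filename:
        problems.append("directory components are not allowed in an upload name")
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        problems.append("name must have a non-empty base name and an extension")
        return problems
    last = segments[-1]
    if last not in ALLOWED_MEDIA_EXTENSIONS:
        problems.append(f"extension .{last} is not an allowed media type")
    for seg in segments[1:-1]:
        if seg in EXECUTABLE_EXTENSIONS:
            problems.append(f"intermediate extension .{seg} would be treated as executable")
    return problems


def safe_upload_name(filename: str) -> str:
    """Rewrite a name so only the final, allow-listed extension stays dotted.

    'shell.php.jpg' becomes 'shell_php.jpg'. Names without a usable base name
    or with a disallowed final extension raise ValueError rather than being
    silently stored.
    """
    base = os.path.basename(filename)
    segments = base.split(".")
    if len(segments) < 2 or not segments[0]:
        raise ValueError("unusable upload name")
    if segments[-1].lower() not in ALLOWED_MEDIA_EXTENSIONS:
        raise ValueError(f"extension .{segments[-1]} is not allowed")
    return "_".join(segments[:-1]) + "." + segments[-1]


# Constructed sample names covering the cases the check is meant to catch
SAMPLE_UPLOADS = ["photo.jpg", "shell.php.jpg", "shell.php", ".htaccess", "../photo.gif"]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name!r}: {upload_filename_problems(name) or 'ok'}")
```

Checking the name is only one layer: serving uploads from a directory where the script engine is disabled, and verifying the file's actual content type, are the complementary controls a server operator would still want.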
Other changes in this release address cross-site scripting (XSS) weaknesses and a privacy issue with WordPress backups.
Taxonomy querying has also been hardened against attacks, and an information disclosure flaw that could expose the user names of non-author accounts was patched.
Two Microsoft researchers contributed media security fixes and the security of the file upload process was improved. A cleanup routine for unfinished imports was also added.
However, one of the most significant additions in this release is the clickjacking protection on the admin and login pages, which are most at risk of such attacks.
Clickjacking is an attack technique that abuses legitimate web programming techniques to hide and overlap page elements in a way that tricks users into performing unauthorized actions.
For example, an attacker targeting the admin of the example.com blog could craft a web page that loads a button from the blog’s admin panel inside an iframe. The page could use CSS to make the framed button transparent and position it over an innocuous one.
The attacker could then use social engineering to trick the admin into visiting the page and clicking on the safe-looking element. In reality, the click would perform an unauthorized action on the admin’s own blog backend.
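The defence against the scenario above is to stop third-party pages from framing the admin and login pages in the first place. The checker below is an added example written for this page, not WordPress code, and the page does not say which mechanism WordPress 3.1.3 used; it models the two standard browser-enforced controls, the `X-Frame-Options` header and the CSP `frame-ancestors` directive, and reports whether a given framing origin would be allowed. The sample responses, the URLs and the `framing_allowed` and `audit` helpers are all constructed assumptions.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.hostname}".lower()
    if parts.port:
        origin += f":{parts.port}"
    return origin


def _source_matches(source: str, framer: str) -> bool:
    # A CSP host-source may be written as scheme://host or as a bare host
    if "://" in source:
        return origin_of(source) == framer
    return framer.split("://", 1)[1] == source


def framing_allowed(headers: dict, framed_url: str, framer_url: str) -> bool:
    """Decide whether a browser honouring the anti-framing headers in
    `headers` would let a page at framer_url embed framed_url in an iframe.

    CSP frame-ancestors wins when present; otherwise X-Frame-Options applies;
    with neither header the page can be framed from anywhere.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    framed = origin_of(framed_url)
    framer = origin_of(framer_url)

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "none" in sources:
                return False
            if "*" in sources:
                return True
            if "self" in sources and framer == framed:
                return True
            return any(_source_matches(s, framer) for s in sources if s != "self")

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == framed
    return True  # no anti-framing header at all


# Constructed sample responses for an admin page, keyed by a short label
SAMPLE_RESPONSES = {
    "no protection": {"Content-Type": "text/html"},
    "X-Frame-Options SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
    "X-Frame-Options DENY": {"X-Frame-Options": "DENY"},
    "CSP frame-ancestors 'self'": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"
    },
}

ADMIN_URL = "https://example.com/wp-admin/"          # page being protected (assumed)
THIRD_PARTY_URL = "https://other-site.example/page"  # hypothetical framing page


def audit(responses=SAMPLE_RESPONSES, framed_url=ADMIN_URL, framer_url=THIRD_PARTY_URL) -> dict:
    """Map each labelled response to True if the third-party page could frame it."""
    return {label: framing_allowed(h, framed_url, framer_url) for label, h in responses.items()}


if __name__ == "__main__":
    for label, can_frame in audit().items():
        print(f"{label:28s} framable by third party: {can_frame}")
```

Only the first row of the audit comes back `True`; the point of the check is that an unprotected admin page is exactly the one a transparent-iframe overlay can target, while either header closes it off. A script-based frame-buster can supplement the header but cannot replace it, since it depends on JavaScript running inside the framed page.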
Users are strongly advised to upgrade to WordPress 3.1.3. This can be done from the Dashboard > Updates menu, and since this is only a minor update it shouldn’t normally cause any problems.
Source: Softpedia.com